WO2024083346A1 - Data processing apparatus and method for runtime attestation - Google Patents

Data processing apparatus and method for runtime attestation

Info

Publication number
WO2024083346A1
Authority
WO
WIPO (PCT)
Prior art keywords
task
processing apparatus
data processing
attestation
memory
Application number
PCT/EP2022/079477
Other languages
English (en)
Inventor
Thomas Olivier Maurice CHEVALIER
Ioan-Silviu VLASCEANU
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Priority to PCT/EP2022/079477
Publication of WO2024083346A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Definitions

  • the disclosure relates to security technology. More specifically, the disclosure relates to a data processing apparatus and method for runtime attestation. Moreover, the present disclosure relates to a remote attestation system including such a data processing apparatus.
  • a key challenge in IoT security is the vulnerability of constrained microcontrollers to malicious modification of their firmware. This can result from reprogramming attacks performed by an adversary with physical access to the device, or from remote attacks that exploit vulnerabilities in the software implementation.
  • a popular approach to mitigating such attacks is known as attestation, which allows verifying that a device runs known firmware, i.e., that it is in a trusted state. Attestation is usually defined as a process between two parties: a prover and a verifier.
  • the prover may be, for instance, a resource-constrained IoT device, and the verifier is generally a computationally more powerful device, e.g., a server back-end.
  • attestation consists of two stages: (1) generation of evidence about the prover's trustworthiness and (2) a secure protocol for conveying this evidence to the verifier. It is often desirable that these two stages, and in particular the first stage of the attestation process, i.e. the generation of the attestation evidence, are performed during runtime, in order to detect attacks that may have affected the integrity of the software during its execution.
  • Some runtime attestation approaches are known as “Dynamic Integrity Measurement” and “Control Flow Attestation”.
  • a hash fingerprint
  • the “Control Flow Attestation” approach tries to monitor the execution flow of a process and log the sequence of edges (branches) taken by the process, in order to see whether the execution flow is as intended according to a known-good control flow graph generated at build time. It is intended to cover mainly return-oriented or jump-oriented programming attacks, which are a mainstream type of memory-based attack today.
  • a data processing apparatus for performing a plurality of tasks.
  • the data processing apparatus may be, for instance, an IoT device, a smartphone, a network device, an electronic control unit and the like.
  • the plurality of tasks may comprise, for instance, a sensor task for controlling one or more sensors of the data processing apparatus, an actuator task for actuating one or more actuators of the data processing apparatus, and a network task for providing wireless communication between the data processing apparatus and other network devices.
  • the data processing apparatus comprises a processing unit configured to operate a real-time operating system, RTOS, based on a security capability architecture.
  • the processing unit may comprise, for instance, one or more central processing units, CPUs, and/or one or more microcontrollers.
  • the RTOS implements a kernel, an attestation core and the plurality of tasks, wherein each task of the plurality of tasks, when executed, uses one or more of a plurality of capabilities defined by the security capability architecture.
  • a security capability architecture may comprise an instruction set and data structures in the form of capabilities as well as hardware and/or software supporting such an architecture.
  • the security capability architecture of the data processing apparatus may comprise, for instance, the instruction set known as capability hardware enhanced RISC instructions, CHERI.
  • the data processing apparatus comprises a memory with a plurality of isolated memory compartments (sometimes also referred to as “protection domains”), including an isolated memory compartment for the attestation core and a respective isolated memory compartment for each task.
  • the isolated memory compartment of each task is defined by the one or more of the plurality of capabilities of the respective task as well as data operated on by the one or more of the plurality of capabilities of the respective task.
  • Each isolated memory compartment of each task can be considered to fully encapsulate the respective task.
  • the processing unit of the data processing apparatus is further configured to monitor the integrity of the isolated memory compartments of the plurality of tasks for generating task integrity measurement data indicative of the integrity of the isolated memory compartments of the plurality of tasks, thereby providing a data processing apparatus capable of ensuring its integrity during runtime.
  • the attestation core is a dedicated security task running in its own memory compartment fully isolated from the other tasks or the RTOS kernel. More specifically, the attestation core is a dedicated task isolated from the rest of the system, which may be invoked by means of a trampoline module during an exchange of capabilities between other tasks for logging and reporting the exchanged capabilities securely to a remote verifier.
  • the data processing apparatus further comprises a communication interface configured to transmit the task integrity measurement data (either in the form as initially generated by the processing unit or in a further processed form) to an attestation server. This allows a run-time attestation of the integrity of the isolated memory compartments of the plurality of tasks of the data processing apparatus by the attestation server based on the task integrity measurement data.
  • the attestation core is configured to record the task integrity measurement data for the memory compartment of each task and to transmit the task integrity measurement data for the memory compartment of each task via the communication interface to the attestation server periodically and/or event-driven.
  • the reporting of the task integrity measurement data may be efficiently implemented.
  • the attestation core is configured to cryptographically secure the transmitted task integrity measurement data based on one or more cryptographic keys, wherein the communication interface is configured to transmit the cryptographically secured task integrity measurement data to the attestation server. This protects the task integrity measurement data cryptographically against attacks.
  • the communication interface is configured to receive a nonce from the attestation server, wherein the attestation core is further configured to cryptographically secure the task integrity measurement data together with the nonce with the one or more cryptographic keys, and wherein the communication interface is configured to transmit the cryptographically secured task integrity measurement data and nonce to the attestation server. This allows replay attacks to be detected.
  • the one or more cryptographic keys are stored in the isolated memory compartment for the attestation core.
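The nonce-and-key exchange described in the preceding items, modelled in Python as an added example (not code from the patent or from Huawei): the attestation server issues a single-use nonce, the attestation core computes an HMAC-SHA256 tag over the nonce and a canonical encoding of the task integrity measurement data with a key that only it holds, and the server accepts a report only if the nonce is one it issued and has not yet consumed and the tag verifies. The class names, the symmetric key, HMAC as the securing primitive and the sample measurement are all assumptions; the patent does not fix a key type or algorithm.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample key (assumption): the patent stores the device's keys in the
# attestation core's isolated compartment but fixes no algorithm, so a symmetric
# HMAC-SHA256 key shared with the attestation server is modelled here.
DEVICE_KEY = bytes.fromhex("8f3a" * 16)

# Constructed sample task integrity measurement data: task -> capabilities held,
# each given as [region, permissions].
SAMPLE_MEASUREMENT = {
    "sensor_task": [["sensor_code", "rx"], ["sensor_stack", "rw"]],
    "network_task": [["net_code", "rx"], ["net_stack", "rw"], ["shared_buf", "rw"]],
}


def _canonical(measurement: dict) -> bytes:
    """Deterministic encoding so prover and verifier MAC identical bytes."""
    return json.dumps(measurement, sort_keys=True, separators=(",", ":")).encode()


class AttestationCore:
    """Prover side: the isolated task holding the key and the measurement data."""

    def __init__(self, key: bytes, measurement: dict):
        self._key = key
        self.measurement = measurement

    def report(self, nonce: bytes) -> dict:
        # The tag covers nonce || measurement, binding this report to one challenge.
        tag = hmac.new(self._key, nonce + _canonical(self.measurement), hashlib.sha256)
        return {"nonce": nonce.hex(), "measurement": self.measurement, "tag": tag.hexdigest()}


class AttestationServer:
    """Verifier side: issues single-use nonces and validates the returned evidence."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, report: dict) -> tuple[bool, str]:
        nonce = bytes.fromhex(report["nonce"])
        # A nonce the server never issued, or one already consumed, marks a replay.
        if nonce not in self._outstanding:
            return False, "unknown or reused nonce"
        expected = hmac.new(self._key, nonce + _canonical(report["measurement"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(report["tag"])):
            return False, "MAC mismatch"
        self._outstanding.discard(nonce)  # consume: each nonce accepts exactly one report
        return True, "accepted"


def run_exchange() -> dict:
    """Drive one attestation round, then a replay and a tampering attempt."""
    core = AttestationCore(DEVICE_KEY, SAMPLE_MEASUREMENT)
    server = AttestationServer(DEVICE_KEY)

    nonce = server.challenge()
    report = core.report(nonce)
    fresh = server.verify(report)
    replayed = server.verify(report)  # identical report again: nonce already consumed

    nonce2 = server.challenge()
    tampered = core.report(nonce2)
    tampered["measurement"] = {"sensor_task": [["sensor_code", "rx"]]}  # altered in transit
    forged = server.verify(tampered)
    return {"fresh": fresh, "replayed": replayed, "tampered": forged}


if __name__ == "__main__":
    print(run_exchange())
```

Running the block prints the three outcomes: a fresh report is accepted, the identical report sent again is refused on the nonce check before any MAC work is done, and a report whose measurement was altered after tagging fails the MAC.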
  • the processing unit is configured to define the plurality of isolated memory compartments. For instance, the processing unit may securely manage the address ranges of the plurality of isolated memory compartments.
  • the memory of the data processing apparatus may be a cost-efficient type of memory without a dedicated memory management unit.
  • the processing unit is configured to monitor the integrity of the isolated memory compartments of the plurality of tasks based on a trampoline module implemented by a trampoline code.
  • the trampoline module is invoked at each transition between the isolated memory compartments of the plurality of tasks and configured to report one or more capabilities exchanged between the isolated memory compartments of the plurality of tasks to the attestation core. This allows the integrity of the isolated memory compartments of the plurality of tasks to be monitored efficiently.
  • the processing unit is further configured to initially scan the memory for determining the plurality of isolated memory compartments of the memory. This allows the memory compartments, i.e. protection domains, of the plurality of tasks to be determined efficiently.
  • the processing unit is further configured to store the task integrity measurement data in the isolated memory compartment for the attestation core.
  • the task integrity measurement data is protected against any attacks, for instance, from a corrupted task of the apparatus under the control of an attacker trying to modify the task integrity measurement data.
  • the task integrity measurement data comprises for each of the plurality of tasks the one or more capabilities of the respective task. This allows for an efficient generation of the task integrity measurement data based on the security capability architecture of the data processing apparatus.
  • the one or more of the plurality of capabilities of each task comprise a pointer and pointer metadata (also known as a “fat pointer”). This allows for an efficient generation of the task integrity measurement data based on the security capability architecture of the data processing apparatus.
  • the RTOS of the data processing apparatus is a single address space RTOS. Thus, the data processing apparatus may implement an RTOS not requiring sophisticated and costly processing resources.
  • the security capability architecture is based on hardware and/or software.
  • the security capability architecture may comprise an instruction set and data structures in the form of capabilities as well as hardware and/or software supporting such an architecture.
  • the security capability architecture of the data processing apparatus may comprise, for instance, the instruction set known as capability hardware enhanced RISC instructions, CHERI.
  • a remote attestation system comprising at least one data processing apparatus according to the first aspect and an attestation server configured to receive the task integrity measurement data from the at least one data processing apparatus and to attest the integrity of the at least one data processing apparatus based on the task integrity measurement data.
  • one or more reference capabilities of each task of the at least one data processing apparatus are defined by a task policy, wherein the attestation server is configured to attest the integrity of the at least one data processing apparatus based on the task integrity measurement data and the task policy. This allows the integrity of the at least one data processing apparatus to be attested efficiently based on the task integrity measurement data and the task policy.
  • the data processing apparatus is configured to perform a plurality of tasks and comprises a processing unit configured to operate a real-time operating system, RTOS, based on a security capability architecture, wherein the RTOS implements a kernel, an attestation core and a plurality of tasks, wherein each task, when executed, uses one or more of a plurality of capabilities defined by the security capability architecture, and a memory.
  • the method comprises the steps of: providing a plurality of isolated memory compartments of the memory, including an isolated memory compartment for the attestation core and a respective isolated memory compartment for each task, wherein the isolated memory compartment of each task is defined by the one or more of the plurality of capabilities of the task and data operated on by the one or more of the plurality of capabilities of the task; and monitoring the integrity of the isolated memory compartments of the plurality of tasks for generating task integrity measurement data indicative of the integrity of the memory compartments of the plurality of tasks.
  • the method according to the third aspect of the present disclosure can be performed by the data processing apparatus according to the first aspect of the present disclosure.
  • further features of the method according to the third aspect of the present disclosure result directly from the functionality of the data processing apparatus according to the first aspect of the present disclosure as well as its different implementation forms described above and below.
  • a computer program product comprising a computer-readable storage medium for storing program code which causes a computer or a processor to perform the method according to the third aspect when the program code is executed by the computer or the processor.
  • Fig. 1 shows a schematic diagram illustrating an attestation system according to an example of the embodiments of the disclosure including a data processing apparatus and an attestation server;
  • Fig. 2 shows a schematic diagram illustrating isolated memory compartments of a memory of a data processing apparatus according to an example of the embodiments of the disclosure
  • Fig. 3 shows a schematic diagram illustrating a plurality of tasks implemented by the data processing apparatus according to an example of the embodiments of the disclosure
  • Fig. 4 shows a schematic diagram illustrating a trampoline module and an attestation core implemented by a data processing apparatus according to an example of the embodiments of the disclosure for monitoring the integrity of memory compartments of the plurality of tasks;
  • Fig. 5 shows a schematic diagram illustrating a security architecture implemented by a data processing apparatus according to an example of the embodiments of the disclosure for cryptographically securing task integrity measurement data
  • Fig. 6 shows a flow diagram illustrating a method for attesting the integrity of a data processing apparatus according to an example of the embodiments of the disclosure.
  • identical reference signs refer to identical or at least functionally equivalent features.
  • a disclosure in connection with a described method may also hold true for a corresponding device or system configured to perform the method and vice versa.
  • a corresponding device may include one or a plurality of units, e.g. functional units, to perform the described one or plurality of method steps (e.g. one unit performing the one or plurality of steps, or a plurality of units each performing one or more of the plurality of steps), even if such one or more units are not explicitly described or illustrated in the figures.
  • a specific apparatus is described based on one or a plurality of units, e.g.
  • a corresponding method may include one step to perform the functionality of the one or plurality of units (e.g. one step performing the functionality of the one or plurality of units, or a plurality of steps each performing the functionality of one or more of the plurality of units), even if such one or plurality of steps are not explicitly described or illustrated in the figures. Further, it is understood that the features of the various exemplary embodiments and/or aspects described herein may be combined with each other, unless specifically noted otherwise.
  • Figure 1 shows a schematic diagram illustrating an attestation system 100 according to an embodiment including a data processing apparatus 110 (referred to as device 110 in figure 1) according to an embodiment and an attestation server 120 (referred to as verifier 120 in figure 1).
  • the attestation system 100 may further comprise a provisioning server 130 of the vendor or manufacturer of the data processing device 110 configured to provision the data processing apparatus 110 with software 135, for instance, a firmware or software image.
  • the data processing apparatus 110 may be, for instance, an IOT device, a smartphone, a network device, an electronic control unit and the like.
  • the data processing apparatus 110 comprises a processing unit 111, which may comprise, for instance, one or more central processing units, CPUs, and/or one or more microcontrollers.
  • the processing unit 111 may be implemented in hardware and/or software and may comprise digital circuitry, or both analog and digital circuitry.
  • Digital circuitry may comprise components such as application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), or general-purpose processors.
  • the data processing apparatus 110 comprises an electronic memory 115 configured to store data, for instance, a FLASH memory 115.
  • the memory 115 may store executable program code which, when executed by the processing unit 111, causes the data processing apparatus 110 to perform the functions and methods described herein.
  • the data processing apparatus 110 may further comprise a communication interface 113, in particular a wireless and/or wired communication interface allowing the data processing apparatus 110 to communicate with the attestation server 120, the provisioning server 130 and/or other network devices.
  • the processing unit 111 is configured to perform a plurality of software tasks, which, by way of example, may comprise a sensor task 305a for controlling one or more sensors of the data processing apparatus 110, an actuator task 305b for actuating one or more actuators of the data processing apparatus 110, and a network task 305c for providing (together with the communication interface 113) wireless communication between the data processing apparatus 110 and other network devices.
  • the processing unit 111 is configured to operate a real-time operating system, RTOS, 300 based on a security capability architecture for implementing the software environment for a kernel 301, an attestation core 303 and the plurality of tasks 305a-c.
  • the RTOS 300 of the data processing apparatus 110 is a single address space RTOS 300.
  • each of the plurality of tasks 305a-c when executed, uses one or more of a plurality of capabilities defined by the security capability architecture.
  • the security capability architecture may comprise an instruction set and data structures in the form of capabilities as well as hardware and/or software supporting such an architecture.
  • the security capability architecture of the data processing apparatus may comprise, for instance, the instruction set known as capability hardware enhanced RISC instructions, CHERI. Further details about CHERI may be found in “Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set Architecture (Version 8)”, Technical Report, Number 951, UCAM-CL-TR-951, ISSN 1476-2986, University of Cambridge, which is fully incorporated by reference herein.
  • the memory 115 of the data processing apparatus 110 comprises a plurality of isolated memory compartments (sometimes also referred to as “protection domains”), including an isolated memory compartment for the attestation core 303 and a respective isolated memory compartment 115a-c for each task 305a-c.
  • the isolated memory compartment of each task is defined by the one or more of the plurality of capabilities of the respective task as well as data operated on by the one or more of the plurality of capabilities of the respective task.
  • each of the one or more of the plurality of capabilities of each task 305a-c may comprise a pointer and pointer metadata (also known as a “fat pointer”).
  • each isolated memory compartment 115a-c of each task 305a-c can be considered to fully encapsulate the respective task 305a-c.
  • the processing unit 111 of the data processing apparatus 110 is configured to define the isolated memory compartment of the attestation core 303 and the isolated memory compartments 115a-c of the plurality of tasks 305a-c.
  • the processing unit 111 may be configured to securely manage the address ranges of the plurality of isolated memory compartments 115a-c.
  • the processing unit 111 of the data processing apparatus 110 is further configured to monitor the integrity of the isolated memory compartments 115a-c of the plurality of tasks 305a-c for generating task integrity measurement data 125 indicative of the integrity of the isolated memory compartments 115a-c of the plurality of tasks 305a-c.
  • the processing unit 111 of the data processing apparatus 110 may be further configured to store the task integrity measurement data 125 in the isolated memory compartment for the attestation core 303.
  • the task integrity measurement data 125 may comprise for each of the plurality of tasks 305a-c the one or more capabilities, e.g. fat pointers of the respective task 305a-c.
  • the communication interface 113 of the data processing apparatus 110 may be configured to transmit the task integrity measurement data 125 (either in the form as initially collected and/or generated by the processing unit 111 or in a further processed form) to the attestation server 120.
  • This allows a run-time attestation of the integrity of the isolated memory compartments 115a-c of the plurality of tasks 305a-c of the data processing apparatus 110 by the attestation server 120 based on the task integrity measurement data 125 and, in an embodiment, reference values defined by a task policy 145 provided, for instance, by the provisioning server 130.
  • embodiments disclosed herein allow a “runtime attestation” of the data processing apparatus 110, i.e. provide an attestation system 100 capable of proving the integrity of the plurality of tasks 305a-c and the operating system kernel 301 of the data processing apparatus 110 during the execution thereof. For instance, if a task 305a-c is behaving as expected after being started, the attestation system 100 is capable of providing trustworthy and verifiable evidence about its integrity and an external verifier instance may validate the evidence and decide whether to trust the data processing apparatus 110 and/or the task 305a-c running thereon.
  • the data processing apparatus 110 may even provide context information about where an unknown (potentially malicious) task behavior is deviating from the expected one.
  • the data processing apparatus 110 may be a low-end, microcontroller (MCU)-based device 110 which supports a security capability architecture, such as CHERI, and implements a microcontroller-class real-time OS 300, such as FreeRTOS or Huawei LiteOS.
  • MCU: microcontroller
  • the data processing apparatus 110 may be a high-end, CPU-based device 110 which supports a similar security capability architecture and implements a more sophisticated RTOS 300, such as the Linux operating system 300.
  • Embodiments disclosed herein adopt a new approach in evaluating the runtime integrity of a program, i.e. the plurality of tasks 305a-c. Instead of the conventional approach of looking inside the task/program memory and trying to make sense of it, which is difficult, complex and computationally very intensive, embodiments of the data processing apparatus 110 disclosed herein allow monitoring what goes on inside a given task/program 305a-c from the perspective of the other processes operating within the data processing apparatus 110. This fundamentally different approach is illustrated in figure 2. According to embodiments disclosed herein, it may be inferred that a given task 305a-c acts as intended (i.e.
  • the data processing apparatus 110 is configured to detect whether during run-time the isolation between the different memory compartments 115a-c of the plurality of tasks 305a-c is being broken.
  • efficient runtime attestation is made possible by providing evidence in the form of the task integrity measurement data 125 on the isolation among the plurality of tasks 305a-c and whether it is preserved or not.
  • the processing unit 111 of the data processing apparatus 100 is configured to implement a security capability architecture, for instance a CHERI-based architecture, which provides spatial memory safety and memory isolation through so called “capabilities”.
  • a security capability architecture like the CHERI-based architecture extends conventional Instruction Set Architectures (ISA) to enable fine-grained memory protection and highly scalable software compartmentalization.
  • ISA: Instruction Set Architecture
  • the CHERI-based architecture implemented by the data processing apparatus 110 is capable of providing memory isolation without the need for a Memory Management Unit (MMU).
  • MMU: Memory Management Unit
  • the RTOS 300 of the data processing apparatus 110 may be CHERI FreeRTOS 300, which is a variant of FreeRTOS and provides isolation between the different memory compartments 115a-c of the plurality of tasks 305a-c in a single-address space system.
  • CHERI FreeRTOS 300 makes use of features of the CHERI-based architecture to restrict the set of memory regions accessible by each memory compartment 115a-c.
  • each memory compartment 115a-c may be as small as a function or as big as some code spanning several source files.
  • each task 305a-c is restricted to its “protection domain”, i.e. isolated memory compartment 115a-c.
  • the protection domain, i.e. memory compartment 115a-c, refers to the set of capabilities that the task 305a-c can access.
  • the data processing apparatus 110 is configured to check the pointed memory region for determining any other capabilities pointing to other regions of the memory 115.
  • the data processing apparatus 110 may be configured to recursively look into these other pointed memory regions, until the complete set of all the capabilities has been found that the respective task 305a-c can access.
  • This is the protection domain, i.e. isolated memory compartment 115a-c of the respective task 305a-c. All the protection domains, i.e. memory compartments 115a-c are distinct, i.e. isolated from each other, meaning that a task 305a-c cannot access the memory compartment 115a-c of another task 305a-c.
  • a task 305a-c may have control of an exclusive region of the memory 115.
  • a task 305a-c can have a pointer to jump into a specific function of another task 305a-c.
  • two tasks 305a-c may share some portion of the memory 115, provided that the capabilities to this memory region prohibit reading or storing a capability.
  • the kernel 301 may have full access to the memory 115 (except to the memory compartment associated with the attestation core 303).
  • the protection domain i.e. the isolated memory compartment 115a-c of each task 305a-c is known in advance.
  • the network task 305c might, by way of example, share a buffer with another task 305a, b, but cannot share its internal state. In that case there can be a policy about how the protection domains, i.e. memory compartments 115a-c, are set up.
  • all the memory compartments 115a-c may be initially measured and determined by scanning the whole memory 115 and deducing the different compartments based on the register files of each task 305a-c.
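The recursive discovery of a task's protection domain described in the items above, as an added Python example that is not the patent's code: starting from the capabilities in a task's register file, every capability that permits loading capabilities from the region it points to is followed into that region, until the closure is complete; the per-task closures are then checked pairwise, allowing an overlap only where neither side can read or store capabilities through the shared region. The memory image, register files, region names and the five-permission model are constructed assumptions that simplify CHERI's real permission bits.

```python
from collections import deque
from dataclasses import dataclass

# Simplified permission model (assumption): r/w/x data access plus whether
# capabilities may be loaded from or stored into the pointed region.
LOAD_CAP, STORE_CAP = "load_cap", "store_cap"


@dataclass(frozen=True)
class Cap:
    region: str          # memory region the (fat) pointer covers
    perms: frozenset     # subset of {"r", "w", "x", LOAD_CAP, STORE_CAP}


def cap(region: str, *perms: str) -> Cap:
    return Cap(region, frozenset(perms))


# Constructed sample memory image: region -> capabilities found stored inside it
# when the region is scanned (plain data in the region is irrelevant here).
CLEAN_MEMORY = {
    "sensor_code": [],
    "sensor_stack": [cap("sensor_heap", "r", "w", LOAD_CAP)],
    "sensor_heap": [],
    "net_code": [],
    "net_stack": [cap("shared_buf", "r", "w")],
    "shared_buf": [],
}

# Constructed register files: the capabilities each task holds in registers
# (code pointer, stack pointer, ...) at the moment of the scan.
REGISTER_FILES = {
    "sensor_task": [cap("sensor_code", "r", "x"),
                    cap("sensor_stack", "r", "w", LOAD_CAP, STORE_CAP),
                    cap("shared_buf", "r", "w")],
    "net_task": [cap("net_code", "r", "x"),
                 cap("net_stack", "r", "w", LOAD_CAP, STORE_CAP)],
}


def protection_domain(memory: dict, registers: list) -> frozenset:
    """All capabilities reachable from a register file: each capability that permits
    loading capabilities is followed into its region, recursively, until no new
    capability appears."""
    seen, queue = set(), deque(registers)
    while queue:
        c = queue.popleft()
        if c in seen:
            continue
        seen.add(c)
        if LOAD_CAP in c.perms:
            queue.extend(memory.get(c.region, []))
    return frozenset(seen)


def region_perms(domain: frozenset) -> dict:
    """Union of the permissions a domain holds on each region."""
    out: dict = {}
    for c in domain:
        out[c.region] = out.get(c.region, frozenset()) | c.perms
    return out


def isolation_violations(domains: dict) -> list:
    """Task pairs whose domains overlap on a region where either side may load or
    store capabilities; sharing plain data (r/w only) through a region is allowed."""
    violations = []
    names = sorted(domains)
    for i, a in enumerate(names):
        pa = region_perms(domains[a])
        for b in names[i + 1:]:
            pb = region_perms(domains[b])
            for region in sorted(pa.keys() & pb.keys()):
                if {LOAD_CAP, STORE_CAP} & (pa[region] | pb[region]):
                    violations.append((a, b, region))
    return violations


def scan(memory: dict, register_files: dict) -> tuple:
    """Initial measurement: derive every task's compartment and check their isolation."""
    domains = {t: protection_domain(memory, regs) for t, regs in register_files.items()}
    return domains, isolation_violations(domains)


# Constructed corrupted image: a capability to the network task's stack has been
# planted in the sensor heap, as a memory-corruption bug in the sensor task might.
CORRUPTED_MEMORY = dict(CLEAN_MEMORY, sensor_heap=[cap("net_stack", "r", LOAD_CAP)])


if __name__ == "__main__":
    for label, mem in (("clean", CLEAN_MEMORY), ("corrupted", CORRUPTED_MEMORY)):
        domains, bad = scan(mem, REGISTER_FILES)
        print(label, {t: sorted(region_perms(d)) for t, d in domains.items()}, bad)
```

On the clean image the two domains meet only on `shared_buf` with data permissions, which the sharing rule permits; on the corrupted image the sensor task's closure grows to include `net_stack`, and because the network task holds capability-store permission on its own stack the overlap is reported as an isolation violation.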
  • a security capability architecture such as a CHERI-based security capability architecture
  • This inherent feature of a security capability architecture, as implemented by the data processing apparatus 110, makes it possible that the isolated memory compartments need not be monitored continuously, but only when a task 305a-c passes control to another isolated memory compartment, i.e. in an event-driven manner.
  • the kernel 301 may be configured to log the capability passed to another task 305a-c.
  • the kernel 301 of the data processing apparatus 110 is configured to allocate some portion of the memory 115 and construct a capability for it.
  • the kernel 301 of the data processing apparatus 110 may update the isolated memory compartment 115a of the task 305a to take into account this new capability that the task 305a has obtained. The capability may then be passed on to the task 305a. As will be appreciated, this approach may lead to an over-approximation of the isolated memory compartment 115a of the task 305a.
  • a task 305a-c may have capabilities pointing to its code and stack.
  • the task 305a-c may call the malloc function and switch to the kernel memory compartment via the trampoline module 401.
  • the malloc function may generate a new capability bounded to the size of the requested region and return the capability.
  • the trampoline module 401 is configured to provide the capability to the attestation core 303, which updates the protection domain measurement, i.e. the task integrity measurement data 125.
  • the trampoline module 401 may then return.
  • the blocks referred to as “pcc”, “csp”, and “cao” in the figure are exemplary CPU registers implemented by the CHERI-based architecture according to an embodiment of the data processing apparatus 110.
  • the attestation core 303 of the data processing apparatus 110 is associated with a secure region of the memory 115, i.e. its own isolated memory compartment (similar to a resilience engine).
  • the attestation core 303 has full control over the memory 115 of the data processing apparatus 110, but the kernel 301 and the plurality of tasks 305a-c cannot tamper with the isolated memory compartment of the attestation core 303.
  • the memory compartment of the attestation core 303 is configured to securely store the task integrity measurement data 125 (even if the kernel 301 cannot be trusted).
  • the respective task 305a-c or the kernel 301 may use the “CInvoke” mechanism provided by the CHERI-based architecture, which allows performing a secure transition between different memory compartments.
  • a task policy 145 may be defined by the vendor by listing all the expected memory compartments 115a-c, i.e. protection domains of the data processing apparatus 110.
  • the task policy 145 may define what each memory compartment 115a-c should have access to.
  • the task policy 145 may be created and made available by the vendor, for instance, via the provisioning server 130.
  • the attestation server 120 may compare the task policy 145 against the current task integrity measurement data 125 (provided by the data processing apparatus 110) for detecting any integrity violation of the isolated memory compartment zones 115a-c of the plurality of tasks 305a-c.
  • the so-called “Reachable Capability Monotonicity” property means that during the execution of any task 305a-c, the memory compartment 115a-c of the respective task 305a-c cannot increase, until execution is yielded to the memory compartment of another task 305a-c.
  • this is an implicit and, thus, always valid property of a security capability architecture, in particular a CHERI-based security capability architecture, which may be implemented by the data processing apparatus 110 according to an embodiment.
  • embodiments disclosed herein can be considered as starting from a reference point and then monitoring, i.e.
  • the monitoring of the respective memory compartments 115a-c implemented by the data processing apparatus 110 may provide an overestimate of the actual respective memory compartment 115a-c.
  • this is usually not an issue, because it is very likely that the embedded tasks 305a-c very rarely use dynamic allocation that results in memory being freed.
  • the monitoring of the respective memory compartments 115a-c implemented by the data processing apparatus 110 should intercept all capabilities going into the respective memory compartment 115a-c. In an embodiment, this may be achieved by a trampoline module 401, which may be implemented by the data processing apparatus 110 according to an embodiment and will be described in more detail in the following in the context of figure 4.
  • the processing unit 111 of the data processing apparatus 110 is configured to monitor the integrity of a respective isolated memory compartment 115a-c of the plurality of tasks 305a-c based on the trampoline module 401 implemented by a trampoline code.
  • the trampoline module 401 is invoked at each transition between the isolated memory compartments 115a-c of the plurality of tasks 305a-c and configured to report one or more capabilities exchanged between the isolated memory compartments 115a-c of the plurality of tasks 305a-c to the attestation core 303.
  • the communication interface 113 of the data processing apparatus 110 is configured to transmit the current task integrity measurement data 125 to the attestation server 120 each time one of the memory compartments 115a-c of the plurality of tasks 305a-c is decreased, allowing the attestation server 120 to check the current task integrity measurement data 125 against the reference values defined by the task policy 145.
  • the RTOS 300 implemented by the data processing apparatus 110 adds the attestation core 303 and the trampoline module 401 for generating the task integrity measurement data 125.
  • the attestation core 303 is associated with its memory compartment, i.e. a secure region of the memory 115 isolated from everything else in the system (including the RTOS kernel 301).
  • the memory compartment of the attestation core 303 is configured to store the task integrity measurement data 125 as well as one or more cryptographic keys 503 (illustrated in figure 5) for digitally signing the task integrity measurement data 125.
  • the attestation core 303 may be considered to provide an interface for adding a capability to a respective memory compartment 115a-c of the plurality of tasks 305a-c.
  • the purpose of the attestation core 303 of the data processing apparatus 110 is to ensure the integrity of the task integrity measurement data 125 in such a scenario (which would not be possible if the task integrity measurement data 125 would be stored, for instance, in the kernel 301).
  • the trampoline module 401 implemented by the processing unit 111 of the data processing apparatus 110 may be invoked at each transition between the isolated memory compartments 115a-c of the plurality of tasks 305a-c and configured to report one or more capabilities exchanged between the isolated memory compartments 115a-c of the plurality of tasks 305a-c to the attestation core 303.
  • the trampoline module 401 is a special function for securely switching to another memory compartment, i.e. protection domain during runtime. During this switching process the trampoline module 401 is further configured to record each capability that is passed to the new memory compartment by passing the respective capabilities to the attestation core 303 for generating the task integrity measurement data 125.
  • the processing unit 111 of the data processing apparatus 110 is configured to pass control from a memory compartment 115a-c of a respective task 305a-c to another memory compartment 115a-c by jumping to the trampoline module 401.
  • the capabilities passed in this process to the new memory compartment may be forwarded to the attestation core 303.
  • the processing unit 111 of the data processing apparatus 110 is configured to add those capabilities to the portion of the task integrity measurement data 125 associated with the new memory compartment.
  • the task integrity measurement data 125 may be provided in the form of a memory compartment, i.e. protection domain table 125 describing what memory region each memory compartment 115a-c can access as well as the corresponding permissions.
  • This data structure in the form of the memory compartment table 125 may be updated with new capabilities and stored in the memory compartment of the attestation core 303.
  • One embodiment of storing the protection domain measurement efficiently can be a list of memory regions and the permissions over them as defined by the capabilities recorded by the attestation core 303. When a new capability is added to it, the list is updated in place and always maintains its optimal representation.
  • remote attestation is a process of conveying trustworthy evidence to a remote third-party verifier for attesting the integrity of a device, e.g. the data processing apparatus 110.
  • the communication interface 113 of the data processing apparatus 110 is configured to transmit the task integrity measurement data 125 indicative of the integrity of the memory compartments 115a-c of the plurality of tasks in a way that allows the attestation server 120 to check the authenticity of the task integrity measurement data 125.
  • the device’s code may be measured, and a cryptographic key tied to a hardware root of trust may be built from this measurement.
  • the vendor 130 may endorse the device 110 by emitting a certificate.
  • the key is stored in the attestation core 303, and cannot be accessed from anywhere else in the system.
  • the remote verifier 120 would need a proof of the integrity of the attestation core 303 itself.
  • embodiments disclosed herein may make use of a known DICE (device identifier composition engine) implementation 501, which derives the signing key of the attestation core 303 based on a unique device identity (Unique Device Secret) and the hashes (representing the measurements) of the code loaded sequentially by each boot component up to and including the attestation core 303 itself.
  • a unique device identity (Unique Device Secret);
  • the hashes representing the measurements of the code loaded sequentially by each boot component up to and including the attestation core 303 itself.
  • since the attestation core 303 is isolated from any other task 305a-c and the kernel 301, it can be trusted that once loaded, its integrity remains preserved. Therefore, the loaded attestation core can use the thus-derived key to truthfully sign the measured/recorded capabilities.
  • the remote verifier 120 can verify them, once it has verified the combined device and attestation core identity based on the signed device certificate provided by the manufacturer 130.
  • the attestation server 120 may initiate a challenge-response mechanism, and the data processing apparatus 110 digitally signs the task integrity measurement data 125 along with a nonce received from the attestation server 120 and required for the challenge response mechanism.
  • the attestation server 120 receives the data 125 and checks that the key 503 used by the data processing apparatus 110 for digitally signing the data 125 and the nonce is based on a certificate received from the vendor, e.g. the provisioning server 130.
  • the attestation server compares the task integrity measurement data 125 with the reference values defined by the task policy 145 provided by the vendor, e.g. the provisioning server 130.
  • the attestation scheme implemented by the data processing apparatus 110 and the attestation server 120 is based on a Root of Trust for Measurement (RTM) for anchoring the attestation measurements, i.e. task integrity measurement data 125 in immutable hardware and reporting the task integrity measurement data 125 in a trustworthy way.
  • RTM: Root of Trust for Measurement
  • the Device Identifier Composition Engine (DICE) RTM standard may be employed, as already described above and illustrated in figure 5.
  • a Trusted Platform Module (TPM) may be employed as the RTM standard.
  • TPM: Trusted Platform Module
  • a unique and random key also referred to as the Unique Device Secret
  • Figure 6 is a flow diagram illustrating a method 600 for attesting the integrity of the data processing apparatus 110 according to an embodiment.
  • the data processing apparatus 110 is configured to perform the plurality of tasks 305a-c and comprises the processing unit 111 configured to operate the RTOS 300 based on a security capability architecture, wherein the RTOS 300 implements the kernel 301, the attestation core 303 and the plurality of tasks 305a-c, wherein each task 305a-c, when executed, uses one or more of a plurality of capabilities defined by the security capability architecture.
  • the data processing apparatus 110 comprises the memory 115.
  • the method 600 comprises a step 601 of providing the plurality of isolated memory compartments of the memory 115, including the isolated memory compartment for the attestation core 303 and the respective isolated memory compartment 115a-c for each task 305a-c, wherein the isolated memory compartment 115a-c of each task 305a-c is defined by the one or more of the plurality of capabilities of the task 305a-c and data operated on by the one or more of the plurality of capabilities of the task 305a-c.
  • the method 600 comprises a step 603 of monitoring the integrity of the isolated memory compartments 115a-c of the plurality of tasks 305a-c for generating the task integrity measurement data 125 indicative of the integrity of the memory compartments 115a-c of the plurality of tasks 305a-c.
  • since the method 600 can be implemented by the data processing apparatus 110, further features of the method 600 result directly from the functionality of the data processing apparatus 110 and its different embodiments described above and below.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the described embodiment of an apparatus is merely exemplary.
  • the unit division is merely logical function division and may be another division in an actual implementation.
  • a plurality of units or components may be combined or integrated into another system, or some features may be ignored or not performed.
  • the displayed or discussed mutual couplings or direct couplings or communication connections may be implemented by using some interfaces.
  • the indirect couplings or communication connections between the apparatuses or units may be implemented in electronic, mechanical, or other forms.
  • the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
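The protection domain table kept by the attestation core (the bullets on the memory compartment table 125 and its in-place merging) and the server-side comparison against the task policy 145, as an added example that is not part of the patent or any CHERI implementation. Region layout, permission bits, compartment names and the `trampoline_switch` helper are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed permission bits, loosely modelled on CHERI load/store/execute permissions.
PERM_R, PERM_W, PERM_X = 1, 2, 4
Region = Tuple[int, int, int]  # (base, end, perms); end is exclusive


@dataclass(frozen=True)
class Capability:
    """A capability as the trampoline would report it: bounds plus permission mask."""
    base: int
    length: int
    perms: int


class ProtectionDomainTable:
    """Hypothetical stand-in for the attestation core's measurement table (data 125).

    Each compartment maps to a sorted list of regions. Adding a capability merges
    overlapping or adjacent regions with identical permissions in place, so the
    table always stays the minimal list of maximal regions.
    """

    def __init__(self) -> None:
        self.domains: Dict[str, List[Region]] = {}

    def add_capability(self, domain: str, cap: Capability) -> None:
        regions = self.domains.setdefault(domain, [])
        regions.append((cap.base, cap.base + cap.length, cap.perms))
        regions.sort()
        merged: List[Region] = []
        for base, end, perms in regions:
            if merged and merged[-1][2] == perms and base <= merged[-1][1]:
                last = merged[-1]
                merged[-1] = (last[0], max(last[1], end), perms)  # coalesce
            else:
                merged.append((base, end, perms))
        self.domains[domain] = merged

    def size(self, domain: str) -> int:
        """Bytes reachable by the compartment; only ever grows (over-approximation)."""
        return sum(end - base for base, end, _ in self.domains.get(domain, []))


def trampoline_switch(table: ProtectionDomainTable, target: str,
                      caps: List[Capability]) -> None:
    """Models the trampoline module: every capability handed to the target
    compartment is reported to the attestation core before control passes."""
    for cap in caps:
        table.add_capability(target, cap)


def check_policy(table: ProtectionDomainTable,
                 policy: Dict[str, List[Region]]) -> List[Tuple[str, Region]]:
    """Attestation server side: each measured region must lie inside an allowed
    region of the same compartment and carry no permission bit the policy lacks."""
    violations = []
    for domain, regions in table.domains.items():
        allowed = policy.get(domain, [])
        for base, end, perms in regions:
            ok = any(a_base <= base and end <= a_end and perms & ~a_perms == 0
                     for a_base, a_end, a_perms in allowed)
            if not ok:
                violations.append((domain, (base, end, perms)))
    return violations
```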
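The DICE-style key derivation and the nonce-based challenge-response described above (the bullets on implementation 501, key 503 and the attestation server 120), as an added example that is not part of the patent or of any DICE implementation. An HMAC stands in for the asymmetric signature, so the hypothetical server holds the endorsed key directly where the real scheme holds the vendor's certificate; the device secret, image contents and measurement string are constructed values.

```python
import hashlib
import hmac
import os
from typing import List, Set


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def derive_attestation_key(uds: bytes, boot_chain: List[bytes]) -> bytes:
    """DICE-style derivation: starting from the Unique Device Secret, each layer's
    secret is HMAC(previous secret, hash of the next code image). boot_chain lists
    the images in load order, ending with the attestation core itself."""
    cdi = uds
    for image in boot_chain:
        cdi = hmac.new(cdi, _h(image), hashlib.sha256).digest()
    # Assumption: this HMAC key stands in for the asymmetric signing key 503.
    return cdi


def sign_measurement(key: bytes, measurement: bytes, nonce: bytes) -> bytes:
    """Device side: the attestation core signs the measurement together with the
    server's nonce so a recorded response cannot be replayed later."""
    return hmac.new(key, _h(measurement) + nonce, hashlib.sha256).digest()


class AttestationServer:
    """Hypothetical verifier. Tracks outstanding nonces, checks the signature
    against the endorsed key, then compares the measurement with the policy."""

    def __init__(self, endorsed_key: bytes, reference_measurement: bytes) -> None:
        self.endorsed_key = endorsed_key
        self.reference = reference_measurement  # reference values of task policy 145
        self.pending: Set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, measurement: bytes, nonce: bytes, tag: bytes) -> bool:
        if nonce not in self.pending:
            return False  # unknown or already-consumed nonce: treat as replay
        self.pending.discard(nonce)
        expected = sign_measurement(self.endorsed_key, measurement, nonce)
        if not hmac.compare_digest(expected, tag):
            return False  # key mismatch: a boot component or the core was altered
        return measurement == self.reference
```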

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a data processing apparatus (110) for performing a plurality of tasks. The apparatus (110) comprises a processing unit (111) configured to operate an RTOS based on a security capability architecture. The RTOS implements a kernel, an attestation core and a plurality of tasks. Each task uses a plurality of capabilities defined by the security capability architecture. Furthermore, the apparatus (110) comprises a memory (115) comprising a plurality of memory compartments, including a memory compartment for the attestation core and a respective isolated memory compartment for each task. The memory compartment of each task is defined by the plurality of capabilities of the task and the plurality of data operated on by the task. The processing unit (111) is configured to monitor the integrity of the memory compartments of the tasks in order to generate task integrity measurement data (125) indicating the integrity of the memory compartments of the tasks.
PCT/EP2022/079477 2022-10-21 2022-10-21 Data processing apparatus and method for runtime attestation WO2024083346A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2022/079477 WO2024083346A1 (fr) 2022-10-21 2022-10-21 Data processing apparatus and method for runtime attestation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2022/079477 WO2024083346A1 (fr) 2022-10-21 2022-10-21 Data processing apparatus and method for runtime attestation

Publications (1)

Publication Number Publication Date
WO2024083346A1 true WO2024083346A1 (fr) 2024-04-25

Family

ID=84360477

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2022/079477 WO2024083346A1 (fr) 2022-10-21 2022-10-21 Data processing apparatus and method for runtime attestation

Country Status (1)

Country Link
WO (1) WO2024083346A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160350534A1 (en) * 2015-05-29 2016-12-01 Intel Corporation System, apparatus and method for controlling multiple trusted execution environments in a system
WO2017082966A1 (fr) * 2015-11-09 2017-05-18 Intel IP Corporation Universal integrated circuit card on mobile computing environments
US20180183580A1 (en) * 2016-12-27 2018-06-28 Intel Corporation Provisioning keys for virtual machine secure enclaves
US20210081535A1 (en) * 2018-05-22 2021-03-18 Université Du Luxembourg Improved computing apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 22808760; Country of ref document: EP; Kind code of ref document: A1)